keps/sig-auth/3257-cluster-trust-bundles/README.md
Lines changed: 3 additions & 9 deletions
@@ -346,10 +346,6 @@ Kubelet in the cluster. When they are updated, workloads will need to receive
346
346
the updates fairly quickly (within 5 minutes across the whole cluster), to
347
347
accommodate emergency rotation of trust anchors for a private CA.
348
348
349
-
Security: Should individual trust anchor set entries designate an OCSP endpoint
350
-
to check for certificate revociation? Or should we require the URL to be
351
-
embedded in the issued certificates? Note: This question is deferred from the 1.30 beta scope, and will be discussed as an addition to the beta scope in 1.31.
352
-
353
349
## Design Details
354
350
355
351
### ClusterTrustBundle Object
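Review bot: Deleting the "Security: Should individual trust anchor set entries designate an OCSP endpoint ..." question outright removes the only place this KEP records how revocation is meant to be handled, and it also removes the note that the topic was deferred from the 1.30 beta scope to 1.31, so the follow-up commitment vanishes without a trace. If the decision is that revocation is out of scope for this API because a compromised anchor is simply removed from the bundle and propagates via the rotation path the preceding context already requires (updates reaching workloads within 5 minutes to accommodate emergency rotation of a private CA), replace the question with that one-sentence resolution instead of deleting it, e.g. "Revocation of individual issued certificates is out of scope for ClusterTrustBundle; a compromised trust anchor is removed from the bundle and propagates via the rotation path described above." If the question is still open, move it to wherever the remaining open questions are tracked rather than dropping it.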
@@ -375,18 +371,16 @@ as long as their name does not contain a colon.
375
371
Multiple ClusterTrustBundle objects may be associated with a single signer.
376
372
While each object is independent at the API level, consumers (mostly Kubelet)
377
373
will select trust anchors by a combination of field selector on signer name, and
378
-
a label selector. Signer controllers may follow the convention of making the
379
-
label selector `kubernetes.io/cluster-trust-bundle-version=live` correspond to a
380
-
meaningful set of trust anchors. In general, users are expected to read the documentation for their signer controller implementation in order to determine which label selectors to use for their needs, including [canarying](#canarying-changes-to-a-clustertrustbundle).
374
+
a label selector. In general, users are expected to read the documentation for their signer controller implementation in order to determine which label selectors to use for their needs, including [canarying](#canarying-changes-to-a-clustertrustbundle).
381
375
382
376
ClusterTrustBundle objects support `.metadata.generation`.
383
377
384
378
ClusterTrustBundle creates and updates that result in an empty
385
-
`.spec.pemTrustAnchors`will be rejected during validation.
379
+
`.spec.trustBundle`will be rejected during validation.
386
380
387
381
All of the new objects and fields described in this section are gated by the
388
382
ClusterTrustBundle kube-apiserver feature gate. Unless the feature gate is
389
-
enabled, usage of these alpha objects and fields will be rejected by
383
+
enabled, usage of these objects and fields will be rejected by
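Review bot: The renamed validation sentence still has the missing space after the closing backtick that the old line had (`.spec.trustBundle`will be rejected during validation.), so fix it while touching the line: "`.spec.trustBundle` will be rejected during validation." More importantly, this hunk renames `.spec.pemTrustAnchors` to `.spec.trustBundle` in one sentence only; every other mention of `pemTrustAnchors` in this README needs the same rename in this commit, otherwise the document describes the same field under two names. The same consistency check applies to the removed `kubernetes.io/cluster-trust-bundle-version=live` convention: the surviving sentence still links to #canarying-changes-to-a-clustertrustbundle, so if that section explains canarying in terms of the `=live` label it now points at a convention the design no longer documents. Dropping "alpha" from the feature-gate sentence is fine on its own and matches the beta scope referred to elsewhere in the diff.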